The California Privacy Protection Agency (CPPA) recently issued updates to the California Consumer Privacy Act (CCPA) regulations, which became effective on January 1, 2026, bringing the era of "compliance by documentation" to an end.
For enterprises operating in the modern, composable web where first-party code, third-party services, APIs, and AI agents combine dynamically during live user sessions, these updates introduced rigorous new mandates for cybersecurity audits, risk assessments, and the governance of automated decision-making technology (ADMT).
If there’s one key takeaway from these updates, it's that policy alone is no longer enough. To remain compliant, businesses must move beyond signaling intent through consent banners and prove technical enforcement at the initial point of data creation in the browser runtime.
What’s Actually Changed?
Under the new rules, companies must proactively evaluate high-risk data activities, back up their security claims with independent audits, and eliminate manipulative user experiences. The regulations also target automated data collection, giving consumers a straightforward way to opt out of tracking and stop algorithmic systems from profiling their behavior.
Here is a closer look at the specific changes:
1. Mandatory Cybersecurity Audits
Starting in 2028 (depending on revenue), businesses meeting the "significant risk" threshold must complete an annual independent cybersecurity audit. These audits must assess the technical effectiveness of the business’s cybersecurity program in protecting personal information from unauthorized access or loss of availability. Crucially, the auditor must be a qualified, objective professional who performs independent testing of actual system evidence—management assertions are no longer sufficient.
2. Data Privacy Risk Assessments
Before initiating any high-risk processing activity, businesses must conduct and document a thorough risk assessment. This report needs to identify the benefits of the processing against the potential negative impacts on consumer privacy, such as unauthorized access, discrimination, or psychological harm. These assessments must be updated at least every three years or whenever there is a material change to the processing activity.
3. The Principle of Symmetry
The CPPA now mandates "symmetry in choice", meaning that the path to opt-out must be as easy and accessible as the path to opt-in. If your website features a prominent "Accept All" button, it needs to be paired with an equally visible "Decline All" or "Opt-Out" button that requires the same number of steps. Asymmetric designs that nudge users toward data sharing are now classified as violations.
4. Prohibition of Dark Patterns
"Dark patterns" are user interfaces designed to subvert or impair a consumer’s autonomy. The CPPA emphasizes that intent does not matter. If your interface's effect is to confuse or trick the user into sharing data, it is a violation. Common examples include "confirmshaming," confusing language, or obstructive consent banners that hide the opt-out option behind multiple clicks.
5. Mandatory Global Privacy Control (GPC) Recognition
A major pillar of the 2026 updates is the requirement to honor Global Privacy Control (GPC) signals. These are universal, machine-readable signals sent by a user's browser (such as Brave or DuckDuckGo) or by a browser extension, indicating a preference to opt out of all data selling and sharing.
Automated Enforcement: Businesses must treat a GPC signal as a valid, binding request to opt out of the sale/sharing of personal information and the use of ADMT for profiling.
Status Confirmation: Effective in 2026, websites are expected to provide a clear indicator to users (e.g., a "GPC Honored" badge) confirming that their signal has been successfully processed at the technical level.
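The two GPC requirements above (treat the signal as a binding opt-out, then confirm it to the user) can be expressed as a small decision routine. The example below is added here and is not Jscrambler's code: the `Sec-GPC` request header and the `navigator.globalPrivacyControl` property come from the GPC specification, while the decision rules, the badge text and the sample session are constructed for illustration.

```javascript
// Added example (not Jscrambler's code): honoring a Global Privacy Control
// signal on both the server and the client, and deriving the status indicator.
// "Sec-GPC" and navigator.globalPrivacyControl come from the GPC specification;
// the decision rules and sample inputs below are constructed for illustration.

// Server side: a GPC-enabled browser sends the request header "Sec-GPC: 1".
// Only the exact value "1" counts as a signal; anything else is ignored.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return raw !== undefined && String(raw).trim() === '1';
}

// Client side: the browser exposes navigator.globalPrivacyControl === true.
// The navigator object is passed in so the function also runs outside a browser.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Effective sale/share status for this consumer. A GPC signal is a binding
// opt-out request and overrides an earlier "accept all" banner click; a stored
// opt-out also counts. Without either, CCPA's opt-out model leaves processing
// permitted, so the decision falls back to the recorded banner choice.
function resolveOptOut({ gpcSignal, storedChoice }) {
  if (gpcSignal) return { optedOut: true, reason: 'gpc' };
  if (storedChoice === 'opt-out') return { optedOut: true, reason: 'stored' };
  return { optedOut: false, reason: storedChoice === 'accept' ? 'consent' : 'default' };
}

// Text for the on-page confirmation badge. It is only truthful once the
// runtime block is actually active, so the caller passes that state in.
function gpcStatusBadge(decision, enforcementActive) {
  if (decision.reason !== 'gpc') return null;
  return enforcementActive ? 'GPC Honored' : 'GPC received, enforcement pending';
}

// Worked session (constructed): a Brave user who clicked "Accept All" last
// month but now browses with GPC enabled.
function sampleSession() {
  const headers = { 'sec-gpc': '1', 'user-agent': 'Brave' };  // constructed request
  const nav = { globalPrivacyControl: true };                   // constructed navigator
  const gpcSignal = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const decision = resolveOptOut({ gpcSignal, storedChoice: 'accept' });
  return { decision, badge: gpcStatusBadge(decision, true) };
}
```

The badge function deliberately takes an `enforcementActive` flag: showing "GPC Honored" while third-party tags are still firing would be exactly the gap between recorded intent and technical enforcement that the rest of this post describes.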
6. Governance of Automated Decisionmaking Technology (ADMT)
The new regulations target Automated Decisionmaking Technology (ADMT) and Profiling because of their power to evaluate, analyze, or predict a consumer’s behavior, location, or interests.
The CPPA defines ADMT as technology that replaces or substantially replaces human decision-making.
While the law heavily regulates automated profiling in contexts such as location tracking or behavioral analytics, it draws a specific line around ADMT rules: they apply to automated "significant decisions" rather than to standard consumer advertising.
In the modern composable web, profiling happens in the browser. Ad targeting pixels, social media tags, and AI-driven personalization engines aggregate live contextual signals and behavioral patterns in real time. The risk is two-fold:
Privacy Exposure: Personal data is often accessed and enriched by third-party scripts before backend safeguards can take effect.
Strategic Loss of Control: These technologies often "over-collect," turning proprietary customer signals into model fuel for external AI platforms.
Businesses using ADMT for "significant decisions" (like hiring, housing, or financial services) or "behavioral profiling" for ad targeting face new obligations:
Pre-use Notice: Businesses must provide a notice explaining why they use the ADMT, how it works, and the consumer's right to opt out.
Opt-out Rights: Consumers generally have the right to opt out of the business's use of ADMT, requiring the business to stop processing their information using that technology.
Access Rights: Consumers who do not opt out can request information about how the ADMT worked for them specifically, including the key factors that affected the output.
To prevent standard office software and web infrastructure from accidentally triggering these heavy compliance obligations, the regulations explicitly carve out several everyday technologies. As long as they do not actively replace human decision-making, the following are not considered ADMT:
Web & Infrastructure Tools: Web hosting, domain registration, networking, caching, website-loading, and data storage.
Security & Filtering Software: Firewalls, anti-virus, anti-malware, and spam and robocall filtering.
Basic Administrative & Productivity Software: Spellchecking, calculators, databases, and spreadsheets.
Who Needs to Comply and When?
The updated regulations apply to any business already subject to the CCPA. However, the new requirements for cybersecurity audits and risk assessments specifically target organizations whose processing of personal information presents a "significant risk" to consumer privacy or security.
This includes businesses that:
Meet specific revenue thresholds and process the personal information of 250,000 or more consumers annually.
Process the sensitive personal information of 50,000 or more consumers annually.
Use Automated Decisionmaking Technology (ADMT) for significant decisions or extensive profiling.
Businesses required to complete cybersecurity audits must submit certifications to the CPPA by:
April 1, 2028, if the business makes over $100 million;
April 1, 2029, if the business makes between $50 million and $100 million, or
April 1, 2030, if the business makes less than $50 million.
Businesses subject to risk assessment requirements must begin compliance by January 1, 2026. By April 1, 2028, they must submit to the CPPA:
An attestation that required risk assessments were completed, and
A summary of their risk assessment information.
Additionally, businesses that use ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027.
Enforcement and Investigations
The CPPA maintains a strict supervisory role through several mechanisms:
Investigations: The agency can initiate investigations based on sworn public complaints or on its own initiative.
Probable Cause and Audits: The Agency may conduct "probable cause" proceedings to determine if violations occurred. It also has the authority to conduct announced or unannounced audits of any business, service provider, or contractor to ensure compliance with the CCPA.
Technical Scrutiny: Recent enforcement actions (including multi-million-dollar settlements in 2026) show that regulators are looking for more than written policies; they are comprehensively testing opt-out mechanisms to ensure they work across all devices and services.
The Cost of Non-Compliance: Fines and Penalties
If a business fails to prove compliance, meaning it cannot provide the required risk assessments or demonstrate that its technical controls actually work, the financial consequences are severe:
$2,663 per violation for unintentional non-compliance.
$7,988 per violation for intentional violations or those involving the personal information of minors.
Beyond administrative fines, the CPPA and the Attorney General can seek:
Permanent Injunctions: Forcing a business to stop using specific profiling technologies or halting business operations entirely until compliance is proven.
Statutory Damages: In the event of a data breach, consumers may seek damages ranging from $100 to $750 per incident, creating significant class-action exposure.
The Hidden Risk: Third-Party Script Proliferation
Modern websites are no longer single applications. Rather, they are composed in real time from a massive ecosystem of external services. This "composable web" relies heavily on third-party scripts to power everything from analytics and advertising pixels to AI-driven chatbots and payment processors.
The scale of this exposure is staggering:
Average Script Load: Modern checkout pages and high-traffic digital properties routinely load between 30 and 80 third-party scripts.
Privileged Access: By design, these scripts execute in the browser alongside first-party code and often inherit broad, unmanaged access to the Document Object Model (DOM).
What These Scripts Can Actually Do
Extensive profiling is a major focus of these updates, especially profiling for behavioral advertising, such as that performed by many popular ad-tracking pixels (including those from Meta and TikTok) and other AI-powered scripts.
Jscrambler’s research into common third-party scripts, including those from major platforms such as Meta and TikTok, highlights the invasive capabilities of overprivileged tags. Because these scripts often operate with "privilege without control," they can perform actions far beyond their declared purpose:
Real-Time Form Scraping: Scripts can read sensitive user inputs, such as credentials, personal identifiers, or booking codes, as they are typed, long before a user hits submit.
Data Enrichment & Profiling: Advertising and social media pixels can capture behavioral signals and interaction patterns to build enriched consumer profiles.
Unauthorized Data Transmission: Scripts can silently transmit proprietary commercial intelligence (like pricing and product mix) or regulated PII to external global advertising platforms or AI systems for model training.
Invasive Storage Access: Nearly 90% of cookie and browser storage access on major websites is performed by third-party scripts, enabling them to track users across sessions despite backend protections.
The Vendor Contract Fallacy
Many organizations rely on vendor contracts and due diligence questionnaires to manage these risks. However, these are often insufficient for the modern client-side reality:
Static vs. Dynamic: Contracts define permitted processing at a single point in time, but scripts update independently and frequently.
Shadow Tags: Marketing teams or tag managers can inject new code dynamically, bypassing formal security and legal reviews.
Enforcement Gap: A contract may record intent, but it lacks the technical capability to physically stop a script from over-collecting data at runtime.
The Structural Control Gap: Why Policy is Not Protection
For years, many organizations have relied on CMPs and written policies to manage privacy. Under the new CCPA updates, this approach creates a structural control gap.
A CMP captures a user's intent to opt out, but it does not technically enforce that intent within the browser runtime where data is actually assembled. Once code and data reach the browser—the "point of creation"—traditional backend protections fade. Third-party scripts, advertising pixels, and AI agents often inherit broad privileges, allowing them to access sensitive data fields and transmit information externally, regardless of the user's recorded consent.
Under the updated regulations, the CPPA clarifies that a user interface is a "dark pattern" if it subverts or impairs user choice, even if the business did not intend it to do so. If your CMP records an opt-out, but your client-side supply chain continues to collect and share that data at runtime, you are likely in violation.
Best Practices for the New Compliance Reality
To build demonstrable compliance with the latest CCPA/CPRA mandates, organizations must transition from documented intent to technical enforcement. Relying on backend controls is no longer sufficient when data is assembled, enriched, and transmitted directly within the browser runtime.
The following expanded best practices provide a roadmap for operationalizing compliance.
1. Continuous Runtime Discovery & Behavioral Mapping
You can’t govern what you can’t see. Traditional static inventories and manual vendor questionnaires fail to account for the dynamic nature of the "composable web," where scripts update independently or are injected via tag managers after deployment.
Inventory Every Vendor: Maintain a real-time, session-level inventory of all third-party and fourth-party scripts, including those from major platforms like Meta and TikTok.
Behavioral Context: Move beyond basic script lists to map exactly what data elements, such as login fields, personal identifiers, or cookies, each script is accessing in production.
Detect Behavioral Drift: Monitor for "drift" where a previously approved script suddenly changes its functionality or begins accessing new, sensitive DOM elements.
Vendor Contract Alignment: Continuously compare live script activity against the data processing permissions defined in your vendor contracts. By monitoring changes in script behavior, permissions, or data exfiltration destinations, you can detect technical contract violations in real time and identify when a vendor begins capturing data they are not legally authorized to access.
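Behavioral drift and contract alignment both reduce to comparing an observed behavior profile against a reference. The example below is added here and is not Jscrambler's code: it diffs one script's observed session profile against the profile approved at the last vendor review and against the fields the contract permits. The script origin, field names, storage keys, the `SENSITIVE_FIELDS` list and the severity ladder are constructed for illustration.

```javascript
// Added example (not Jscrambler's code): flagging behavioral drift in a
// third-party script by diffing an observed session profile against the
// profile approved at the last vendor review, and against the fields the
// vendor contract permits. The origins, field names, storage keys and the
// SENSITIVE_FIELDS list are constructed for illustration.

const SENSITIVE_FIELDS = new Set(['card_number', 'cvv', 'password', 'ssn', 'booking_code']);

// A behavior profile: DOM fields read, storage keys touched, hosts sent to.
function makeProfile(fields, storage, destinations) {
  return { fields: new Set(fields), storage: new Set(storage), destinations: new Set(destinations) };
}

// Elements of a that are absent from b, sorted for stable reporting.
function setDiff(a, b) {
  return [...a].filter((x) => !b.has(x)).sort();
}

// Compare one script's observed behavior with its approved baseline and with
// the contractually permitted fields. Severity escalates from "low" (any new
// behavior) to "medium" (a new exfiltration destination) to "high" (a newly
// read sensitive field, or any field the contract never permitted).
function detectDrift(scriptOrigin, baseline, observed, contractFields) {
  const newFields = setDiff(observed.fields, baseline.fields);
  const newStorage = setDiff(observed.storage, baseline.storage);
  const newDestinations = setDiff(observed.destinations, baseline.destinations);
  const sensitiveFields = newFields.filter((f) => SENSITIVE_FIELDS.has(f));
  const contractViolations = setDiff(observed.fields, new Set(contractFields));
  let severity = 'none';
  if (newFields.length || newStorage.length || newDestinations.length) severity = 'low';
  if (newDestinations.length) severity = 'medium';
  if (sensitiveFields.length || contractViolations.length) severity = 'high';
  return { scriptOrigin, severity, newFields, sensitiveFields, newStorage, newDestinations, contractViolations };
}

// Constructed sample: an ad pixel that was approved to read the email field
// and send to its own host, then starts reading the card number and a phone
// field and posting to an AI-training collector.
const pixelOrigin = 'pixel.ad-vendor.example';
const approvedBaseline = makeProfile(['email'], ['vendor_id'], ['pixel.ad-vendor.example']);
const contractPermits = ['email', 'product_id'];

function driftReportForSample() {
  const observedNow = makeProfile(
    ['email', 'card_number', 'phone'],
    ['vendor_id', 'session_id'],
    ['pixel.ad-vendor.example', 'collector.ai-model.example'],
  );
  return detectDrift(pixelOrigin, approvedBaseline, observedNow, contractPermits);
}
```

In production the observed profile would be built from runtime events collected across sessions; the point of the diff is that a "high" finding names the exact field and destination that changed, which is the evidence a reviewer needs to raise a contract violation with the vendor.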
2. Enforce Least-Privilege in the Browser
Compliance now requires precise, technical restrictions on what scripts can do once they execute, thereby enforcing the principle of least-privilege in the browser runtime. This is necessary to help ensure privacy preferences are respected and prevent over-privileged third-party scripts from scraping data they don't need for their primary function.
To meet this technical requirement, it is recommended that mechanisms like "Form Fencing" and "Element Fencing" be deployed. These provide the necessary granular controls, which include:
Data Fencing: Define granular rules that block scripts from reading specific sensitive fields, such as PII or booking codes, long before a user hits submit.
Storage & Cookie Fencing: Regulate how third-party tags interact with local browser storage and cookies to prevent unauthorized tracking or cross-session profiling.
Function Isolation: Isolate scripts, ensuring they only interact with the specific DOM objects and APIs they are authorized to use.
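To make the fencing idea concrete, the following simulation is added here; it is not Jscrambler's code and does not show how its products implement form fencing. In a browser, such a control would mediate DOM property access; here the form is a plain object behind a `Proxy`, the "currently executing script" is tracked explicitly with `runAs()`, and the policy is keyed on script origin and page type so that checkout and login pages are tighter than the home page. All origins, field names and policy rules are constructed.

```javascript
// Added example (not Jscrambler's code): a simulation of "form fencing" where
// reads of form fields are checked against a least-privilege policy keyed on
// script origin and page type, and every decision is recorded for audit.
// Origins, field names and rules are constructed for illustration.

const FIRST_PARTY = 'shop.example';  // constructed first-party origin

// Policy: for each script origin, the fields it may read per page type.
// A '*' page rule applies to every page; a '*' field means any field.
// Anything not listed is denied.
const fencePolicy = {
  'shop.example':             { '*': ['*'] },
  'analytics.vendor.example': { home: ['*'], checkout: ['product_id'], login: [] },
  'pixel.ad-vendor.example':  { home: ['product_id'], checkout: [], login: [] },
};

const auditLog = [];
let currentScript = FIRST_PARTY;

// Run fn as if it were executing inside the script from `origin`. A browser
// hook would infer this from the call stack; the simulation sets it directly.
function runAs(origin, fn) {
  const previous = currentScript;
  currentScript = origin;
  try { return fn(); } finally { currentScript = previous; }
}

function isAllowed(origin, pageType, field) {
  const rules = fencePolicy[origin];
  if (!rules) return false;                      // unknown script: deny
  const allowed = rules['*'] ?? rules[pageType];
  if (!allowed) return false;                    // no rule for this page: deny
  return allowed.includes('*') || allowed.includes(field);
}

// Wrap a form's field map so that every read is policy-checked and logged.
// Denied reads return an empty string rather than throwing, so a blocked
// script fails quietly instead of breaking the page for the user.
function fenceForm(fields, pageType) {
  return new Proxy(fields, {
    get(target, field) {
      if (typeof field !== 'string' || !(field in target)) return undefined;
      const allowed = isAllowed(currentScript, pageType, field);
      auditLog.push({ script: currentScript, pageType, field, decision: allowed ? 'allow' : 'block' });
      return allowed ? target[field] : '';
    },
  });
}

// Constructed checkout form with a placeholder card number.
const checkoutForm = fenceForm(
  { product_id: 'sku-123', card_number: 'CONSTRUCTED-PAN', cvv: '000' },
  'checkout',
);

function readAsScript(origin, field) {
  return runAs(origin, () => checkoutForm[field]);
}

function blockedReads() {
  return auditLog.filter((e) => e.decision === 'block').map((e) => `${e.script}:${e.field}`);
}
```

The deny-by-default branches matter most: a script that is not in the policy, or a page type the policy does not mention, gets nothing, which is what keeps a tag injected later through a tag manager from inheriting first-party privileges.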
3. Immediate Technical Opt-Out Enforcement
Under CCPA/CPRA, organizations are liable if personal data is shared or sold unintentionally via third-party scripts after a consumer opts out. Procedural opt-outs that rely on backend deletion alone do not prevent real-time client-side harvesting.
Runtime Blocking: When a consumer triggers an opt-out preference signal, translate that intent into an immediate technical barrier in the browser.
Prevent Silent Collection: Ensure that scripts from advertising pixels or social media trackers are blocked from capturing behavioral signals the moment the opt-out is recorded.
Least-Privilege by Context: Automatically adjust script permissions based on the page type, for example, tightening controls on payment or login pages compared to a home page.
4. Network Exfiltration & AI Input Control
Profiling and data sharing risks are ultimately defined by where data is sent. Organizations must govern outbound transmissions at the session level to prevent unauthorized data sharing with external ad-tech or AI systems.
Destination Whitelisting: Restrict outbound network requests initiated by JavaScript to only approved, verified destinations.
AI Guardrails: Control exactly what feeds external AI systems or agents before sensitive contextual data, like proprietary pricing or regulated health information, leaves the browser runtime.
Block Shadow Data Flows: Neutralize unauthorized data exfiltration attempts in real time without disrupting the legitimate user experience.
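Destination allowlisting and opt-out enforcement (sections 3 and 4 above) meet at the outbound request. The example below is added here and is not Jscrambler's code: it is an outbound-request guard that applies a destination registry, cuts off "sale or share" categories the moment an opt-out is in effect, and logs every decision. In a browser this would wrap `window.fetch` and `XMLHttpRequest`; here the transport is injected so the guard runs offline. The hosts, categories and consent state are constructed.

```javascript
// Added example (not Jscrambler's code): an outbound-request guard that
// enforces a destination allowlist, tightens it when the consumer has opted
// out, and records every decision. Hosts and categories are constructed.

// Destination registry: each approved host carries a category.
// Hosts not listed here are blocked outright.
const destinationRegistry = {
  'api.shop.example':           { category: 'first-party' },
  'pay.psp.example':            { category: 'payment' },
  'analytics.vendor.example':   { category: 'analytics' },
  'pixel.ad-vendor.example':    { category: 'advertising' },
  'collector.ai-model.example': { category: 'ai-training' },
};

// Categories treated as "sale or sharing" of personal information; these are
// cut off as soon as an opt-out (GPC or stored preference) is in effect.
const SHARE_CATEGORIES = new Set(['advertising', 'ai-training']);

const networkLog = [];

// Pure decision function: can this URL be contacted under this consent state?
function decideRequest(url, consent) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch {
    return { allow: false, reason: 'unparseable-url' };
  }
  const entry = destinationRegistry[host];
  if (!entry) return { allow: false, reason: 'unlisted-destination', host };
  if (consent.optedOut && SHARE_CATEGORIES.has(entry.category)) {
    return { allow: false, reason: 'opt-out', host, category: entry.category };
  }
  return { allow: true, reason: 'allowlisted', host, category: entry.category };
}

// Build a fetch-compatible wrapper around a transport function. consentState
// is a callback so a mid-session opt-out takes effect on the next request.
function guardedFetch(transport, consentState) {
  return async function (url, init) {
    const decision = decideRequest(String(url), consentState());
    networkLog.push({ url: String(url), ...decision });
    if (!decision.allow) {
      // Resolve with a synthetic 403 rather than rejecting, so a blocked
      // tag sees a failed request instead of an uncaught exception.
      return { ok: false, status: 403, blocked: true, reason: decision.reason };
    }
    return transport(url, init);
  };
}

// Constructed transport that never touches the network.
const fakeTransport = async (url) => ({ ok: true, status: 200, url: String(url) });

// Session where the consumer has opted out (for example via GPC).
let sessionConsent = { optedOut: true };
const sessionFetch = guardedFetch(fakeTransport, () => sessionConsent);

function lastNetworkDecision() {
  return networkLog[networkLog.length - 1];
}
```

Note that payment and first-party destinations stay open under opt-out: an opt-out governs selling and sharing, not the requests the site needs to complete the user's own transaction, so the registry's categories are what let the guard block the pixel without breaking checkout.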
5. Demonstrable Audit Trails & Telemetry
Risk assessments and compliance reports are only as valuable as the evidence supporting them. Demonstrable compliance requires verifiable proof that controls were active and effective during live sessions.
Continuous Evidence: Generate detailed telemetry on every enforcement decision, including blocked behaviors, unauthorized data access attempts, and script changes.
Audit-Ready Reporting: Produce assessment-ready reports for internal compliance teams and external auditors that prove software integrity and data governance policies were technically enforced.
Incident Investigation: Use granular runtime event logs to investigate how specific sensitive fields were accessed or where data was transmitted during a suspected event.
Secure the Point of Creation
The days of "set it and forget it" privacy are over. With California leading the charge on regulating personal data collection and automated profiling in the US, the browser is officially your new security perimeter.
The new CCPA requirements represent a shift toward enforceable privacy. By governing execution where digital interactions are formed, enterprises can close the structural control gap, protect customer trust, and meet the high bar set by the CPPA.
Jscrambler’s Client-Side Security Platform provides the missing control layer required for this new era. By governing execution at the point of creation, we help enterprises transform CCPA policy from an aspirational document into a technical reality—ensuring you don't just "pass" your risk assessment, but actually protect your customers, your brand, and your bottom line.